How PCI DSS 3.0 impacts business owners

If your business processes, transmits, or stores credit card data, you are subject to the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS 3.0 went into effect in 2014, and introduced new rules and a clarified direction for the guidelines. Among the most important things for a merchant to know about the PCI DSS is that it’s constantly evolving, so staying current is an important responsibility.

Remember, these industry-created, industry-maintained, and industry-enforced security rules were designed to standardize security best practices for merchants – and curb costly credit card data thefts.

Based on insight from security experts, the card brands, and merchants, the PCI Security Standards Council periodically refines the guidelines to reflect current data security risks and best practices. While the changes are intended to help merchants make transactions safer for themselves and consumers, updates to the rules can also be highly confusing for business owners.

What do you need to know about the new version, and how can you prepare for more changes on the horizon?

Which version?
Non-compliance with PCI rules can result in serious fines: anywhere from $5,000 to $100,000 a month, with the punishments getting more severe if you experience a data breach while out of compliance. If you refuse to fix your problems, you could even lose your ability to take credit cards.

Right off the bat, you should know that you don’t have to scramble if you’re not up to date with the new changes. Here’s why: Version 3.0 of the PCI compliance guidelines went into effect on January 1, 2014, but merchants have until 2015 to familiarize themselves with the new rules. For this year only, you may choose to demonstrate compliance against either Version 2.0 or the new Version 3.0.

Which should you choose? That depends entirely on your priorities. If you’re eager to settle your PCI responsibilities, or if the nature of your business means data security is a particularly complex proposition, then it may make sense to get ahead of the game as soon as possible by validating against version 3.0. Similarly, if you’re only just now getting into compliance for the first time, then you might as well get into compliance with the rules that will be mandated in less than five months.

However, let’s say you’ve already demonstrated compliance against Version 2.0, and you have other challenges and business priorities on your plate. In this case, you may choose to validate against version 2.0 again this year, but it’s important that you get acquainted with the changes that are on their way, so you’ll be prepared when they go into effect on January 1, 2015.

What’s changed?
What do those changes look like? Existing rules have been revised and some new rules have been added. Overall, Version 3.0 works to bring greater clarity and standardization to the rules, helping to make them more precise and easier to understand.

What does this mean in practical terms? Previously, merchants were simply required to conduct a penetration test, which is a serious effort by security experts to break into your systems and identify points of vulnerability in your network. But not every merchant knew what constituted a serious test. Some merchants reported results from free vulnerability scanning tools or “DIY” penetration tests – conducted by unqualified internal IT personnel – and these methods simply didn’t provide the kind of robust verification that the rule was created to enforce. These merchants had met the letter of the rule, but not the spirit, potentially opening themselves and their customers to data theft in the process.

In Version 3.0 of the PCI compliance guidelines, the rule specifies that merchants have to utilize a “generally accepted methodology” when conducting a penetration test. And while internal resources can be used for penetration testing, they must be properly qualified to conduct such testing.

Practical steps
What can you do today to ensure that you’re in compliance and prepare for the transition to Version 3.0?

First, talk to your acquiring bank – this is the entity that actually enforces PCI compliance guidelines on for your organization. If you’re breached and/or found to be out of compliance, you’ll be fined by your bank, not the card brands. (In fact, the card brands fine your bank, but your bank will likely pass the cost on to you.) Your bank likewise decides whether you must demonstrate compliance through a self-reporting questionnaire or full PCI compliance audit. Make sure to discuss your acquiring bank’s compliance expectations so you can stay on top of things.

Next, merchants who are currently using PCI DSS 2.0 should identify the controls they will have to update for 3.0 as soon as possible. Even if you’ve still got time to make the actual adjustments, be sure that you understand what you will need to do well before the new guidelines go into effect. If you don’t have a large security team, the PCI Security Standards Council’s website for small and medium-sized businesses also provides a wealth of resources to help smaller merchants get into genuine compliance more effectively.

While it may feel like another hoop to jump through at times, the PCI DSS can be a real asset to businesses. The rules provide useful standards for robust and practical data security. When put into place, the rules can help protect you and your customers, making security part of your day-to-day business.